Huawei - Access Controllers (ACs)
Purpose
This guide shows how to configure a Huawei device with the following AP models running
firmware FitAP_Model_V200R006C10SPC800:
● AP6010SN-GN
● AP6010DN-AGN
● AP6310SN-GN
● AP6510DN-AGN
● AP6610DN-AGN
● AP7110SN-GN
● AP7110DN-AGN
● AP5010SN-GN
● AP5010DN-AGN
● AP3010DN-AGN
● AP6510DN-AGN-US
● AP6610DN-AGN-US
● AP5030DN
● AP5130DN
● AP7030DE
● AP2010DN
● AP8130DN
● AP8030DN
● AP9330DN
● AP4030DN
● AP4130DN
● AP3030DN
● AP2030DN
● AP9131DN
● AP9132DN
● AP5030DN-S
● AP3010DN-V2
Please note that the images contained in this article may have outdated configuration data.
Please check the data in the article "Parameters for the Solution" at the bottom of the page, as
that information is up to date.
Prerequisites
The configuration procedure has been performed and tested on Huawei Access Controller
AC6005-8-PWR running firmware VRP (R) software, Version 5.130 (AC6005 V200R006C10)
and Access Point AP5030DN running firmware FitAP5X30XN_V200R006C10SPC800.
Before integrating the Access Controller with Lyzntech Angaza, it must be connected to the
Internet, reachable on the network, and have UDP port 2000 open.
This guide will refer to the Access Controller AC6005 and the network architecture in the picture
below.
In this case:
● Network 1 includes the Access Controller
● Network 2 includes the Access Points, any switch or any client
For all other network topologies, please contact Huawei support or read through the Huawei
documentation available on their site: http://support.huawei.com/.
Accessing the device
By default, the Access Controller has the IP address 169.254.1.1. You can manage and
configure the AC over Telnet, or by opening http://169.254.1.1 in a web browser and logging
in as the admin user with the default password [email protected]. This guide performs the
configuration through the CLI.
Network 1 (AC)
Ethernet interfaces and VLANs
● Configure a Service VLAN and the CapWap source IP address (in this example, the
IP address configured in Vlan150) on the GigabitEthernet interface attached to your
default gateway (GigabitEthernet0/0/1).
● Configure a management VLAN (management of APs - Vlan30).
● Configure the CapWap source to the public IP address of the AC 6005.
● Configure a tagged VLAN (service for the STAs - Vlan200).
In a Telnet session, configure the VLAN interfaces and GigabitEthernet 0/0/1 as follows:
<AC-6005>system-view
Enter system view, return user view with Ctrl+Z.
# Change the system name to the public IP address of the AC 6005. This is a mandatory step:
the name of the controller needs to be its public IP address. If the AC uses a
private IP address, provide the public IP address it has after NAT.
[AC-6005]sysname 151.0.208.150
# VLAN / Capwap source (public IP address of the AC 6005)
[151.0.208.150]interface vlanif 150
[151.0.208.150-Vlanif150]description public-ip-AC
[151.0.208.150-Vlanif150]ip address 151.0.208.150 29
[151.0.208.150-Vlanif150]quit
# Service VLAN with the address pool of the STAs (Client devices will connect to AP)
[151.0.208.150]interface vlanif 200
[151.0.208.150-Vlanif200]description service-VLAN
[151.0.208.150-Vlanif200]ip address 192.168.50.1 24
[151.0.208.150-Vlanif200]quit
# Management VLAN (IP pool for APs)
[151.0.208.150]interface vlanif 30
[151.0.208.150-Vlanif30]description Management-VLAN
[151.0.208.150-Vlanif30]ip address 192.168.30.1 24
[151.0.208.150-Vlanif30]quit
# Associate the VLAN created to interface GigabitEthernet 0/0/1
[151.0.208.150]interface GigabitEthernet0/0/1
[151.0.208.150-GigabitEthernet0/0/1]port hybrid pvid vlan 150
[151.0.208.150-GigabitEthernet0/0/1]port hybrid tagged vlan 200
[151.0.208.150-GigabitEthernet0/0/1]port hybrid untagged vlan 30 150
[151.0.208.150-GigabitEthernet0/0/1]quit
[151.0.208.150]vlan batch 30 150 200
# Capwap source is the public IP address of the AC
[151.0.208.150]capwap source ip-address 151.0.208.150
# Add the default gateway of the AC. In this case 151.0.208.145
[151.0.208.150]ip route-static 0.0.0.0 0.0.0.0 151.0.208.145
[151.0.208.150]quit
<151.0.208.150>save
# Verify the portal version of the AC
The Portal version on the AC should be set to Ver 1. If the AC is running a different version,
execute the following command:
[151.0.208.150]undo web-auth-server version
Configuring ACL and free-rules (Walled garden)
Security consideration. To permit connections between the Portal Server and the Access
Controller, the AC must be reachable from the Internet and have UDP port 2000 open
(check your firewall configuration guide).
# Free domains
[151.0.208.150]passthrough-domain name *.lyzntech.co.ke id 1
# Example to configure free domains for facebook login
[151.0.208.150]passthrough-domain name *.facebook.com id 2
[151.0.208.150]passthrough-domain name *.facebook.net id 3
# ACL
[151.0.208.150]acl number 6000
[151.0.208.150]rule 4 permit ip destination 8.8.8.8 0
[151.0.208.150]rule 5 permit udp source 0.0.0.0 0 destination-port eq dns
# RADIUS server
[151.0.208.150]rule 6 permit ip destination 54.247.117.188 0
[151.0.208.150]rule 39 permit tcp destination passthrough-domain *.lyzntech.co.ke
[151.0.208.150]rule 40 permit tcp destination passthrough-domain *.facebook.com
[151.0.208.150]rule 41 permit tcp destination passthrough-domain *.facebook.net
[151.0.208.150]rule 42 permit tcp destination passthrough-domain *.fbcdn.net
# Create a free rule template
[151.0.208.150]free-rule-template name free1
[151.0.208.150-free-rule-free1]free-rule acl 6000
Configuring RADIUS server template
[151.0.208.150]radius-server template radius
# Lyzntech Angaza RADIUS server IP: 54.247.117.188, authentication port: 1812, accounting port: 1813
[151.0.208.150-radius]radius-server shared-key cipher secret provided by Lyzntech Angaza
[151.0.208.150-radius]radius-server authentication 54.247.117.188 1812
[151.0.208.150-radius]radius-server accounting 54.247.117.188 1813
[151.0.208.150-radius]radius-server user-name domain-included
[151.0.208.150-radius]quit
[151.0.208.150]aaa
[151.0.208.150-aaa]authentication-scheme radius
[151.0.208.150-aaa-authen-radius]authentication-mode radius
[151.0.208.150-aaa-authen-radius]quit
[151.0.208.150-aaa]authorization-scheme radius
[151.0.208.150-aaa-author-radius]authorization-mode if-authenticated
[151.0.208.150-aaa-author-radius]quit
[151.0.208.150-aaa]accounting-scheme radius
[151.0.208.150-aaa-accounting-radius]accounting-mode radius
[151.0.208.150-aaa-accounting-radius]accounting realtime 900
[151.0.208.150-aaa-accounting-radius]quit
[151.0.208.150-aaa]domain d1
[151.0.208.150-aaa-domain-d1]authentication-scheme radius
[151.0.208.150-aaa-domain-d1]authorization-scheme radius
[151.0.208.150-aaa-domain-d1]accounting-scheme radius
[151.0.208.150-aaa-domain-d1]radius-server radius
Configuring URL template and authentication profile
[151.0.208.150]url-template name u1
[151.0.208.150-url-template-u1]url https://captiveportal.lyzntech.co.ke
# Uam parameters
[151.0.208.150-url-template-u1]url-parameter user-ipaddress wlanuserip ac-ip wlanacip ac-mac wlanacmac ap-ip wlanapip ap-mac wlanapmac redirect-url wlanuserfirsturl ssid ssid sysname wlanacname user-mac wlanusermac
[151.0.208.150-url-template-u1]quit
[151.0.208.150]web-auth-server web
[151.0.208.150-web-auth-server-web]server-ip 54.247.117.188 (Lyzntech Angaza splash portal ip)
[151.0.208.150-web-auth-server-web]port 50100 (default port communication between AC-Portal)
[151.0.208.150-web-auth-server-web]url-template u1
[151.0.208.150-web-auth-server-web]source-ip 151.0.208.150
[151.0.208.150-web-auth-server-web]quit
[151.0.208.150]portal-access-profile name portal
[151.0.208.150-portal-access-profile-portal]web-auth-server web direct
[151.0.208.150-portal-access-profile-portal]quit
[151.0.208.150]authentication-profile name portal
[151.0.208.150-authentication-profile-portal]portal-access-profile portal
[151.0.208.150-authentication-profile-portal]free-rule-template free1
[151.0.208.150-authentication-profile-portal]access-domain d1
[151.0.208.150-authentication-profile-portal]authentication roam-accounting
[151.0.208.150-authentication-profile-portal]update-session-mode
[151.0.208.150-authentication-profile-portal]authentication-scheme radius
[151.0.208.150-authentication-profile-portal]accounting-scheme radius
[151.0.208.150-authentication-profile-portal]authorization-scheme radius
[151.0.208.150-authentication-profile-portal]radius-server radius
Configuring WLAN, SSID profile, and VAP profile
# Create SSID Profile
[151.0.208.150]wlan
[151.0.208.150-wlan-view]ssid-profile name C4W-huawei
[151.0.208.150-C4W-huawei]ssid name_of_ssid
[151.0.208.150-C4W-huawei]quit
# Create VAP Profile and associate it with authentication profile
[151.0.208.150-wlan-view]vap-profile name C4W-huawei
[151.0.208.150-wlan-vap-prof-C4W-huawei]service-vlan vlan-id 200
[151.0.208.150-wlan-vap-prof-C4W-huawei]ssid-profile C4W-huawei
[151.0.208.150-wlan-vap-prof-C4W-huawei]security-profile C4W-huawei
[151.0.208.150-wlan-vap-prof-C4W-huawei]authentication-profile portal
Configuring AP group and setting the radio profile to vap-profile
The following schema defines the functional priorities of the operations necessary to configure
AP groups, radio profile, and vap-profile.
# Create a new ap-group
[151.0.208.150-wlan-view]ap-group name default
[151.0.208.150-wlan-ap-group-default]vap-profile C4W-huawei wlan id_wlan radio all
# Change the AP update mode to ac-mode
[151.0.208.150-wlan-view]ap update mode ac-mode
[151.0.208.150-wlan-view]ap auth-mode no-auth
Entering the device details into the Admin Panel
For Huawei devices, the Lyzntech Angaza platform requires only the MAC address. The
Identifier field is not required.
Network 2 (APs and STAs)
It’s mandatory to configure the following VLANs on a local switch:
1. The service VLAN, with the same ID as the one previously configured on the AC (Vlan200)
and a DHCP server for the STAs (customer devices) that will connect through the SSID.
In this case, the address pool will be 192.168.50.1/24.
2. The management VLAN for the APs, with the same ID and pool as the one previously
configured on the AC (Vlan30) and a DHCP server for the APs. In this case, the pool
will be 192.168.30.1/24.
3. There are 2 ways to configure the CapWap source IP address on the APs.
1. Recommended for a small number of APs
Log in to each AP via telnet or ssh with the default credentials
admin/[email protected].
In this example AC_ip_address = 151.0.208.150 (Capwap source IP
address)
[fce3-3ca3-c820]ap-address static ac-list ‘AC_ip_address’
Info: The configuration takes effect after the AP is restarted.
[fce3-3ca3-c820]reboot
2. Recommended for a large number of APs
In the DHCP server for the AP management VLAN, configure an option-43 with
sub-option 2 ip-address ‘AC_ip_address’. In this specific example, we have
option 43 sub-option 2 ip-address 151.0.208.150
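Added example (not part of the original guide): building the option 43 payload for a DHCP server that only accepts raw hex, and checking that a DHCP reply points the APs only at the expected AC. It assumes sub-option 2 is carried as a standard code/length/value triple with each AC as 4 raw address bytes, which the guide itself does not state; the function names and the extra address 192.0.2.66 are constructed for illustration.

```python
import ipaddress

AC_LIST_SUBOPTION = 2  # sub-option number used in this guide


def encode_option43(ac_ips, suboption=AC_LIST_SUBOPTION):
    """Build the payload: code byte, length byte, then 4 bytes per AC."""
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in ac_ips)
    if not 0 < len(value) <= 255:
        raise ValueError("need between 1 and 63 AC addresses")
    return bytes([suboption, len(value)]) + value


def decode_option43(payload):
    """Split the payload into {sub-option code: raw value bytes}."""
    fields, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} is shorter than its length")
        fields[code] = value
        i += 2 + length
    return fields


def advertised_acs(payload):
    """Return the AC addresses carried in sub-option 2 as strings."""
    value = decode_option43(payload).get(AC_LIST_SUBOPTION, b"")
    if len(value) % 4:
        raise ValueError("AC list is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[j : j + 4]))
            for j in range(0, len(value), 4)]


def unexpected_acs(payload, allowed):
    """ACs a DHCP reply points APs at that are not on the allow-list."""
    return [ip for ip in advertised_acs(payload) if ip not in set(allowed)]


if __name__ == "__main__":
    payload = encode_option43(["151.0.208.150"])  # AC address from this guide
    print(payload.hex())
    # Constructed reply carrying one extra, unlisted AC (192.0.2.66).
    reply = encode_option43(["151.0.208.150", "192.0.2.66"])
    print(unexpected_acs(reply, ["151.0.208.150"]))
```

Running unexpected_acs over option 43 values captured on the management VLAN shows whether any DHCP server there is steering APs to a controller other than the one configured above.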
Parameters for the Solution
Network 1 (Access Controller)
● The system name of the AC has to be set to a public IP address.
● Configure a service VLAN in tagged mode (Vlan200).
● Configure a management VLAN (to manage the APs) (Vlan30).
● Capwap source IP address has to be set to AC IP address.
● Configure ACL to permit navigation to *.lyzntech.co.ke domain and Lyzntech Angaza
RADIUS IP address.
○ RADIUS server primary (Authentication) → 54.247.117.188 on port 1812,
secret provided by Lyzntech Angaza.
○ RADIUS server primary (Accounting) → 54.247.117.188 on port 1813,
secret provided by Lyzntech Angaza.
● Configure the RADIUS server template:
radius-server shared-key cipher secret provided by Lyzntech Angaza
radius-server authentication 54.247.117.188 1812
radius-server accounting 54.247.117.188 1813
● Set URL to Lyzntech Angaza Splash portal
url https://captiveportal.lyzntech.co.ke
url-parameter user-ipaddress wlanuserip user-mac wlanusermac ac-ip wlanapip sysname wlanacname ap-mac wlanapmac ssid redirect-url wlanuserfirsturl
● Set the web auth-server to the IP address of the Splash Portal:
server-ip 54.247.117.188 (Lyzntech Angaza splash portal ip)
port 50100 (default port communication between AC and Portal)
url-template u1
source-ip 151.0.208.150 (ip address of the AC)
● Configure an authentication profile
authentication-profile name portal
● Configure a VAP profile and associate it with WLAN and SSID profile.
vap-profile name C4W-huawei
service-vlan vlan-id 200
ssid-profile C4W-huawei
security-profile C4W-huawei
authentication-profile portal
● Create an AP group and associate it with the VAP profile previously created.
Network 2 (Switch, APs, and STAs)
● On the switch, create one service VLAN with the same ID configured on the AC in tagged
mode (Vlan200) and one VLAN for AP management with the same ID and pool
configured on the AC (Vlan30).
● Create one DHCP server for the STAs and one for the APs (optionally with option
43 sub-option 2, recommended for large networks).
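Added example (not part of the original guide and not a Huawei tool): a consistency check for the parameters above that confirms the system name is a public IPv4 address, that the web-auth-server source-ip matches the CapWap source, and that the RADIUS ports are the ones listed. The sample text is constructed from this guide's commands with the prompts removed; the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: commands from this guide with the CLI prompts removed.
SAMPLE = """\
sysname 151.0.208.150
capwap source ip-address 151.0.208.150
radius-server template radius
 radius-server authentication 54.247.117.188 1812
 radius-server accounting 54.247.117.188 1813
web-auth-server web
 server-ip 54.247.117.188
 port 50100
 source-ip 151.0.208.150
"""


def find(pattern, config):
    """Return the captured groups of the first matching line, or None."""
    m = re.search(r"^\s*" + pattern, config, re.MULTILINE)
    return m.groups() if m else None


def lint(config):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    sysname = find(r"sysname (\S+)", config)
    capwap = find(r"capwap source ip-address (\S+)", config)
    source = find(r"source-ip (\S+)", config)
    auth = find(r"radius-server authentication (\S+) (\d+)", config)
    acct = find(r"radius-server accounting (\S+) (\d+)", config)

    try:  # the guide requires the system name to be the AC's public IP
        if not ipaddress.IPv4Address(sysname[0]).is_global:
            findings.append("sysname is not a public IPv4 address")
    except (TypeError, ValueError):
        findings.append("sysname is missing or not an IPv4 address")
    if capwap is None:
        findings.append("capwap source ip-address is not set")
    elif source != capwap:
        findings.append("web-auth-server source-ip differs from capwap source")
    if auth is None or acct is None:
        findings.append("RADIUS authentication or accounting server missing")
    elif (auth[1], acct[1]) != ("1812", "1813"):
        findings.append("RADIUS ports differ from the guide's 1812/1813")
    return findings


if __name__ == "__main__":
    print(lint(SAMPLE) or "no findings")
```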